Congress Demands Answers from Instructure After ShinyHunters Hit Canvas with Double Cyberattack
The compromise of the Canvas learning management platform has escalated into a crisis of federal proportions within the United States. Following a pair of intrusions orchestrated by the ShinyHunters collective, educational institutions have grappled with extensive data exfiltration, defaced authentication portals, and critical systemic failures amidst the pressures of final examinations. Consequently, the House Committee on Homeland Security has formally demanded a comprehensive accounting from the leadership of Instructure, the parent corporation of Canvas.
Andrew Garbarino, the committee chairman, dispatched a stern missive to Instructure CEO Steve Daly. Legislators seek to ascertain how adversaries successfully compromised the company’s infrastructure twice within a single week, imperiling a platform utilized by tens of millions of students, educators, and administrators globally. Instructure itself characterizes Canvas as a vital service supporting over 30 million active users worldwide.
According to the committee’s correspondence, the first attack occurred on May 1. During this breach, unauthorized actors secured access to the personally identifiable information (PII) of students and faculty. Instructure disclosed that the compromised data set included student names, personal email addresses, institutional identifiers, and private academic correspondence. The firm maintained, however, that passwords, financial information, and government-issued identification were not compromised.
The ShinyHunters syndicate proclaimed on its leak repository that it had harvested data pertaining to approximately 275 million individuals across nearly 9,000 global educational entities. While the committee noted that the veracity of these figures remains unverified, the profound disparity between Instructure’s public narrative and the magnitude alleged by the attackers necessitates a transparent and exhaustive investigation.
The crisis intensified on May 7 when ShinyHunters reportedly infiltrated Instructure’s systems once more, embedding ransom demands directly onto the Canvas login interfaces of institutions nationwide. Instead of the standard authentication portal, students were confronted with the collective’s ultimatum. These disruptions coincided with the critical conclusion of the academic semester, a period when schools and universities are most vulnerable to platform instability.
Confirmed victims spanned states including California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin. Intelligence from BleepingComputer suggests that this second wave was facilitated by several Cross-Site Scripting (XSS) vulnerabilities, enabling the adversaries to hijack authenticated administrative sessions and manipulate the portal’s source code.
In a statement attributed to the attackers, ShinyHunters asserted that they targeted Instructure anew because the corporation chose to deploy security patches rather than engage in negotiations. The syndicate threatened the total public disclosure of the purloined data on May 12, 2026, absent a settlement. Subsequently, Instructure’s name was expunged from the leak site as the company announced an agreement with the group. While Instructure stopped short of confirming a ransom payment, the collective updated its portal to declare the data “destroyed,” assuring victims that no further payments would be sought.
The Committee on Homeland Security views these successive compromises as a catalyst for rigorous inquiry into Instructure’s operational readiness. Legislators intend to evaluate the firm’s capacity to remediate vulnerabilities following an initial breach and its commitment to safeguarding institutional data. The committee has mandated a briefing from a senior Instructure representative no later than May 21, 2026, to detail the scope of the exfiltration, the efficacy of containment measures, and the nature of the firm’s collaboration with CISA and federal law enforcement.